DHS' guide to managing Domain Name System risks

By William Jackson

Jun 17, 2011

The Homeland Security Department has released a report detailing the most serious risks to the Domain Name System that underlies the Internet, with recommendations for how industry and government can mitigate those risks.

DHS, charged in the National Infrastructure Protection Plan of 2006 with developing uniform policies for integrating risk management in infrastructure protection, has been working with private-sector representatives to develop the plans. DHS and the IT Sector Coordinating Council in producing the report.

DNS is a hierarchy of name servers that links host and domain names used in e-mail addresses and URLs to Internet Protocol. Because it underlies almost every Internet transaction, it was identified as a critical function in the IT Sector Baseline Risk Assessment, published in 2009.

The assessment identified risks to DNS, such as the breakdown of a single interoperable Internet through either an attack or a failure of governance policy, and large scale denial-of-service attacks on the DNS infrastructure. Recommended mitigations include outreach and education programs, improved information sharing between stakeholders, creation of a more versatile and robust infrastructure, and improvements in the visibility of the infrastructure.

Because almost all Internet communications rely on the DNS, it is one of the most critical protocols to the IT infrastructure. In addition to attacks against DNS itself, attacks causing national-level impact to other elements of the IT infrastructure could easily cause collateral damage to DNS. A decrease in interoperability could have significant and lasting economic and national security consequences.

Not all risks would come from malicious attacks. National policy failures also could result in the fragmentation of the Internet.

“Breakdown of the single root zone structure and the creation of alternate roots would have significant implications to international trade since the global free flow of electronic information would be hampered,” the report states.

Recommended mitigations such a breakup include:

Implementing Internationalized Domain Names that could help reduce the likelihood of root fragmentation by allowing communities whose primary language is not based on Latin characters to use their own language and script. The Internet Corporation for Assigned Names and Numbers has approved 13 country and territory applications in the evaluation phase, and several IDN strings have entered into the root zone, which could relieve foreign pressure to develop an alternate root system.

Increase information sharing and use global forums such as the DNS Symposium on Security, Stability, and Resiliency to bring stakeholders together to discuss issues impacting the Internet.

Use a DNS Dashboard to enable the continuous real-time monitoring of production equipment by network operation centers to anticipate and protect DNS infrastructure from malware attacks.

Developing and implementing automation software to process root zone changes to help depoliticize changes to the root zone.

Establish norms of behavior for cyberspace, including an international Joint Cyber Risk Reduction Center to serve as a focal point for sharing information and act as an intermediary during times of crisis, and criminalizing the distribution of offensive cyberattack weapons.

Establish DNS CERT capability for the entire DNS infrastructure.

To mitigate a large scale denial of service attack the report recommends:

Performing a gap analysis to determine what information is needed to assess the DNS infrastructure’s health.